1.
NIST SP 800-37
(rev 2)
Risk Management Framework for
Information Systems and
Organizations: A System Life Cycle
Approach for Security and Privacy
NIST SP 800-37 (REV 2)
NIST SP 800-37 (REV 1)

2.
NIST 800-37 Revision 2 - SCHEDULE
NIST Special Publication 800-37, Revision 2
Risk Management Framework for Security and Privacy
● Initial Public Draft: May 2018
● Final Public Draft: July 2018
● Final Publication: October 2018
NIST Special Publication 800-53, Revision 5
Security and Privacy Controls
● Final Public Draft: October 2018
● Final Publication: December 2018
Source: https://csrc.nist.gov/projects/risk-management/schedule

3.
Overview
● Sources of NIST 800-37 (rev 2)
● What is NIST SP 800-37 (rev 2)
● Difference between 800-37 Revision
1 & 2
● Conclusion: Main thing you should
know

4.
Sources of NIST
SP 800-37 (rev 2)
Knowing the source of 800-7 (rev 2)
allows better context and
understanding.
NIST SP 800-37 (REV 2)
NIST SP 800-37 (REV 1)

5.
NIST 800-37 Revision 2 - Source of
Changes
NIST 800-37 Rev 2: Risk Management Framework for Information Systems
and Organizations: A System Life Cycle Approach for Security and Privacy
Source of Changes:
● President’s Executive Order on Strengthening the Cybersecurity of
Federal Networks and Critical Infrastructure
● Office of Management and Budget Memorandum M-17-25 - next-
generation Risk Management Framework (RMF) for systems and
organizations
● NIST SP 800-53 Revision 5 Coordination
Source: E.O. Strengthening Cybersecurity of Federal Networks
Source: M-17-25 OMB

6.
NIST 800-37 Revision 2 - Executive
Order
President’s Executive Order on Strengthening the Cybersecurity of Federal
Networks and Critical Infrastructure
● National Institute of Standards and Technology’s (NIST) Framework for
Improving Critical Infrastructure Cybersecurity
● Focus on critical infrastructure targets with highest risk
● Securing the Internet and focus on Cybersecurity training
Source: E.O. Strengthening Cybersecurity of Federal Networks
Source: M-17-25 OMB
Source: Framework for Improving Cybersecurity of Critical Infrastructure

7.
NIST 800-37 Revision 2 - OMB M-17-25
Office of Management and Budget Memorandum M-17-25 - next-generation
Risk Management Framework (RMF) for systems and organizations
● Memorandum to implement Improvements to Critical Infrastructure
Cybersecurity
● Reporting on Agency Risk Management Assessments to DHS
● Action Plan for Implementation of the Framework
● Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover
Source: M-17-25 OMB
Source: Framework for Improving Cybersecurity of Critical Infrastructure

8.
NIST 800-37 Revision 2 - NIST 800-53
Rev 5
NIST SP 800-53 (Revision 5) Coordination
● Security and privacy controls more outcome-based
● Fully integrating the privacy controls
● Separating the control selection process from the actual controls
● Incorporating new, state-of-the-practice controls based on threat
intelligence
● Implementation of Cybersecurity Framework: Identify, Protect, Detect,
Respond, Recover
Source: Framework for Improving Cybersecurity of Critical Infrastructure
Source: NIST SP 800-53 Rev 5

9.
What is NIST SP
800-37 (rev 2) &
Changes
NIST SP 800-37 (REV 2)
NIST SP 800-37 (REV 1)

10.
What is NIST 800-37 (Rev 2)
Provide guidelines for applying the Risk Management Framework to federal
information systems to include conducting the activities of security
categorization, security control selection and implementation, security
control assessment, information system authorization, and security.
It is just a process the guides an organization through very thorough
security during the life cycle of an important system.
NIST 800-37 Revision 2 is an upgrade to this process.
Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-
37r1.pdf

11.
NIST 800-37 Revision 2 - NAME
NIST 800-37 Rev 1: Guide for Applying the Risk Management Framework
to Federal Information Systems: a Security Life Cycle Approach
NIST 800-37 Rev 2: Risk Management Framework for Information Systems
and Organizations: A System Life Cycle Approach for Security and Privacy
Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-
37r1.pdf

12.
NIST 800-37 Revision 2 - NAME
NIST 800-37 Rev 2: Risk Management Framework for Information Systems and
Organizations: A System Life Cycle Approach for Security and Privacy
Inline with NIST SP 800-53 Revision 5, Security and Privacy Controls for
Information Systems and Organizations
Puts privacy upfront.
Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-
37r1.pdf
Source: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft

13.
NIST 800-37 Revision 2 - (4) Objectives
There are four major objectives for this update—
● Communication between the risk management processes and activities at the C-
suite level of the organization and the processes and activities at the system and
operational level of the organization.
● To institutionalize critical enterprise-wide risk management preparatory activities to
facilitate a more efficient and cost-effective execution of the Risk Management
Framework at the system and operational level.
● To demonstrate how the Cybersecurity Framework can be implemented using the
established NIST risk management processes (i.e., developing a Federal use case).
● To provide an integration of privacy concepts into the Risk Management Framework
and support the use of the consolidated security and privacy control catalog in NIST
Special Publication 800-53, Revision 5.

14.
NIST 800-37 Revision 2 - NIST 800-37
Rev 2
Communication between the risk management processes and activities at the C-suite
level; To institutionalize critical enterprise-wide risk management preparatory activities
- Assign roles
- Create Strategy
- Identify stakeholders
- Identify information life cycle
- Placement of system
- Create monitoring program

15.
NIST 800-37 Revision 2 - NIST 800-53
Rev 5
The primary objectives for institutionalizing organizational preparation are as follows:
● To facilitate better communication between senior leaders and executives at the
enterprise and mission/business process levels and system owners
● To facilitate organization-wide identification of common controls and the development of
organization-wide tailored security and privacy control baselines, to reduce the workload
on individual system owners and the cost of system development and protection.
● To reduce the complexity of the IT infrastructure by consolidating, standardizing, and
optimizing systems, applications, and services through the application of enterprise
architecture concepts and models.
● To identify, prioritize, and focus resources on high-value assets and high-impact systems
that require increased levels of protection—taking steps commensurate with risk such as
moving lower-impact systems to cloud or shared services, systems, and applications.

16.
NIST 800-37 Revision 2 - Cybersecurity
Framework & RMF
Put preparation in the center of the organization.

17.
NIST 800-37 Revision 2 - Cybersecurity
Framework & RMF
Put preparation in the center of the organization.

18.
NIST 800-37 Revision 2 - Cybersecurity
Framework & RMF
Put preparation in the center of the organization.

19.
NIST 800-37 Revision 2 - Privacy
Put preparation in the center of the organization.

20.
Conclusion
What is the main thing I should
know?
NIST SP 800-37 (REV 2)
NIST SP 800-37 (REV 1)

21.
NIST 800-37 Revision 2 - NIST 800-53
Rev 5
Main things you should know:
● Check out the sources for context
● NIST 800-37 getting pushed to the forefront
● Cybersecurity Framework (what is it)